[pmwiki-users] How to optimize php.ini

[Patrick R. Michaud]

On Tue, Sep 05, 2006 at 07:43:53PM +0100, Iain D. Brown wrote:
> Tom Lederer wrote:
> 
> >> Due to the recent affairs, i wondered if someone of greater
> >> knowledge could tip me how to set the options (those i can) in
> >> php.ini to use pmwiki at its best.
> 
> Pm replied:
> 
> > Here's my suggestions:
> 
> >     session.auto_start      Off
> >     session.use_cookies     On
> >     session.use_trans_sid   Off
> >     magic_quotes_runtime    Off   [1]
> >     magic_quotes_gpc        Off   [2]
> >     register_globals        Off   [3]
> >     display_errors          On for debugging, Off for production [4]
> >     session.cookie_lifetime 0
> 
> This, and Pm's very useful information in his message on PmWiki
> security vulnerability today, makes me wonder if someone has
> created a document on hardening PmWiki.

Actually, I'm planning to create a tool for it.  Essentially there
will be a cookbook recipe that one installs to provide diagnostic
output, and then a tool on pmwiki.org will analyze the site for
various known vulnerabilities and recommend improvements/changes,
along with links to pages on pmwiki.org that describe the
issue(s) in great detail.

> To ensure one's installation of PmWiki is as secure as possible,
> should I be following Pm's suggestions, above? Are there any
> implications for the functioning of my PmWiki site if I follow the
> above? Are there any other settings I should be securing?

The settings I gave above shouldn't affect the functioning
of an existing site at all.  The other things that are
worth securing are making sure that the wiki.d/ directory
isn't accessible to the web, and that passwords are set as
you expect.

Pm